STAT


MEMORANDUM 


TO: Deputy Director, IC Staff

FROM: 

DATE: May 15, 1985 

SUBJECT: Proposed COMPUSEC Uniform Safeguards Actions 


STAT 


The Dies forwarded the Report "Uniform SAFEGUARDS for 
Protection of Critical Systems Processing Intelligence Information" 
to the DCI on 26 January 1985. In this SAFEGUARDS report, the DCI 
stated his intent to take several actions, namely:

1. To promulgate as mandatory standards for critical 
systems, the 29 SAFEGUARDS in the report. 

2. To utilize, in a transitional stage, the SAFEGUARDS 
as complementary to DOD Computer Security Center 
qualified products, services and trusted system 
criteria. 

3. To ensure that these above actions are implemented 
by the end of FY 86. 

As you recall, an original set of 41 consensus-derived 
safeguards were identified in 1983 by an IC Task Group as necessary to 
protect against known vulnerabilities of SCI systems. These 
safeguards were intended to be the basis for mandatory and voluntary 
standards to be imposed by the DCI on electronic SCI-handling systems. 
In addition, the first SCI systems required to meet the mandatory 
standards were to be the thirteen critical systems so designated by 
the DDCI. The 41 SAFEGUARDS were used in the assessments of the 13 
"critical systems." Thru this process, it was determined that a 
number of the 41 SAFEGUARDS could not be implemented without the 
development of "trusted systems" which are still being identified by 
the DoDCSC. As a result, the 41 SAFEGUARDS were revised to include 29 
SAFEGUARDS that are achievable in the 13 "critical systems." As such 
the identified 29 safeguards served to meet the requirement for 
mandatory standards requested by the DDCI in his memo of 6 May 1983. 

There is no standards process or infrastructure within NFIC 
that could adequately fund, develop, impose, monitor, and "police" 
COMPUSEC standards. Hence, the building of such a process and 
infrastructure took on a high priority in my COMPUSEC Project. During 
this same time period, January - July 1984, formative NSDD-145 actions 
were occurring which essentially precluded any Community-wide 
attention to this issue through my project. And indeed NSDD-145 as signed 
by the President on 17 September, 1984 addressed COMPUSEC standards 
responsibilities in such a manner as to make unclear and uncertain, 
the allowable actions by the DCI. A "first-look" interpretation would 
conclude that the DCI has no "authority" anymore in standards-setting 
in NFIC. In fact, the NTISSC under NSDD-145 has activated a working 
group to undertake COMPUSEC Standards activities, 
represents the DCI and the DDCI on this group. 


Proceeding along this line of reasoning does imply, however, 
that the DCI still has the distinctive authority for levying 
requirements and schedules for the standards required to permit COMPUSEC 
accreditation of SCI-handling systems. Still vague are the issues 
relating to whom the requirements are levied upon, how firm can be the 
DCI's control over his needed standards-development activities, and 
what is his required schedule for standards imposition (under 
NSDD-145). 


In terms of what the DCI "stated" that he would do in his 
transmitted Safeguards report of 22 January 1985, I believe that the 
DCI should sign out the following two memos. Also, he should sign 
them out as soon as possible because of the "support" they will 
provide to State and DIA both of whom are really trying to implement the 
Safeguards we developed. 

Finally, it is still quite unclear as to how NTISSC with its 
Committee mode of action can get standards developed and can help NFIC 
members in obtaining funds to implement the standards. 

I will be glad to help in any way to expedite this action. 


STAT 